Source: OJ L, 2024/1774, 25.6.2024Current language: EN
- Digital operational resilience in the financial sector
ICT risk management
- RTS on ICT risk management framework
Article 23 Anomalous activities detection and criteria for ICT-related incidents detection and response
Financial entities shall set clear roles and responsibilities to effectively detect and respond to ICT-related incidents and anomalous activities.
The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to:
collect, monitor, and analyse all of the following:
internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity;
potential internal and external cyber threats, considering scenarios commonly used by threat actors and scenarios based on threat intelligence activity;
ICT-related incident notification from an ICT third-party service provider of the financial entity detected in the ICT systems and networks of the ICT third-party service provider and that may affect the financial entity;
identify anomalous activities and behaviour, and implement tools generating alerts for anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions;
prioritise the alerts referred to in point (b) to allow for the management of the detected ICT-related incidents within the expected resolution time, as specified by financial entities, both during and outside working hours;
record, analyse, and evaluate any relevant information on all anomalous activities and behaviours automatically or manually.
For the purposes of point (b), the tools referred to in that point shall contain the tools that provide automated alerts based on pre-defined rules to identify anomalies affecting the completeness and integrity of the data sources or log collection.
Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use.
Financial entities shall log all relevant information for each detected anomalous activity enabling:
the identification of the date and time of occurrence of the anomalous activity;
the identification of the date and time of detection of the anomalous activity;
the identification of the type of the anomalous activity.
Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554:
indications that malicious activity may have been carried out in an ICT system or network, or that such ICT system or network may have been compromised;
data losses detected in relation to the availability, authenticity, integrity, and confidentiality of data;
adverse impact detected on financial entity’s transactions and operations;
ICT systems’ and network unavailability.
For the purposes of paragraph 5, financial entities shall also consider the criticality of the services affected.
Relevant recitals
Recital 9 Encryption and cryptographic controls
Cryptographic controls can ensure the availability, authenticity, integrity, and confidentiality of data. Financial entities referred to in Title II of this Regulation should therefore identify and implement such controls on the basis of a risk-based approach. To that end, financial entities should encrypt the data concerned at rest, in transit or, where necessary, in use, on the basis of the results of a two-pronged process, namely data classification and a comprehensive ICT risk assessment. Given the complexity of encrypting data in use, financial entities referred to in Title II of this Regulation should encrypt date in use only where that would be appropriate in light of the results of the ICT risk assessment. Financial entities referred to in Title II of this Regulation should, however, be able, where encryption of data in use is not feasible or is too complex, to protect the confidentiality, integrity, and availability of the data concerned through other ICT security measures. Given the rapid technological developments in the field of cryptographic techniques, financial entities referred to in Title II of this Regulation should remain abreast of relevant developments in cryptanalysis and consider leading practices and standards. Financial entities referred to in Title II of this Regulation should hence follow a flexible approach, based on risk mitigation and monitoring, to deal with the dynamic landscape of cryptographic threats, including threats from quantum advancements.
Recital 19 Detection of anomalous activities
To guarantee an early and effective detection of anomalous activities, financial entities referred to in Title II of this Regulation should collect, monitor, and analyse the different sources of information and should allocate related roles and responsibilities. As regards internal sources of information, logs are an extremely relevant source, but financial entities should not rely on logs alone. Instead, financial entities should consider broader information to include what is reported by other internal functions, as those functions are often a valuable source of relevant information. For the same reason, financial entities should analyse and monitor information gathered from external sources, including information provided by ICT third-party providers on incidents affecting their systems and networks, and other sources of information that financial entities consider relevant. In so far as such information constitutes personal data, the Union data protection law applies. The personal data should be limited to what is necessary for the incident detection.
Recital 20 Incident evidence retention
To facilitate ICT-related incidents detection, financial entities should retain evidence of those incidents. To ensure, on the one hand, that such evidence is retained sufficiently long and to avoid, on the other hand, an excessive regulatory burden, financial entities should determine the retention period considering, among other things, the criticality of the data and retention requirements stemming from Union law.
Recital 21 Comprehensive triggers for ICT-related incidents
To ensure that ICT-related incidents are detected in time, financial entities referred to in Title II of this Regulation should consider the criteria identified for triggering the detection of and responses to ICT-related incidents as not exhaustive. Moreover, while financial entities should consider each of those criteria, the circumstances described in the criteria should not need to occur simultaneously and the importance of the affected ICT services should be appropriately considered to trigger ICT-related incident detection and response processes.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.